2011.12.12 20:22 "[Tiff] considering packaging 4.0 beta in debian "unstable"", by Jay Berkenbilt

2011.12.12 21:26 "Re: [Tiff] considering packaging 4.0 beta in debian "unstable"", by Jay Berkenbilt

On 12/12/2011 03:33 PM, Bob Friesenhahn wrote:

Before I took this action, I wanted to run it by the maintainers of the tiff library. I do release, of course, that there is very limited time and resources on the tiff library right now, so this should definitely not be construed as a complaint. It's just a recognition of the reality that tiff 4.0.0 is being "allowed to escape" even if it hasn't been "released", and this is my attempt at decreasing the degree to which this might pose a problem. The good news is that I have extremely limited time as well, so it may take me a while to actually package 4.0.0 beta 7 for debian! But it's realistic that I could find the time in the next couple of months.

Would it help considerably if there was a 4.0.0 "release" which is substantially similar to the current "beta" code?

It probably would.

Another option to packaging 4.0.0 beta 7 is to roll an informal release out of the current CVS. As security fixes have been announced on the 3.9.x branch, I have continued to locate them in CVS and to backport them into 4.0.0 beta 7, so as far as I know, debian's 4.0.0 beta 7 contains all previously publicized security fixes. I can't absolutely guarantee that, but it has been my intention for that to be true.

Have these security fixes been posted to the libtiff bug tracker, and, if so, have the fixes been making it into libtiff CVS?

The only place I have ever gotten security fixes from is libtiff CVS. I shouldn't have said "backported" as that implies that I did the work. Whenever there has been a CVE bulletin with a patch, I've found the fix in the 3.9 branch, found the corresponding fix on the trunk, and cherry picked it, applying it to the 4.0 beta 7 release.

I don't receive any notifications from the libtiff bug tracker so I don't know if new bugs have been posted and need to rely on those who do receive such notifications to do the right thing.

Having 4.0.0 final would increase the likelihood that problems lurking in 4.0.0 would be found and reported through the normal channels. I'm probably downstream of you since I only find out about things when the debian security team tells me. Sometimes it's before a public announcement, but it's never before a fix has been created.